Detections
Analytics

2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes

Information

In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored.

Members (users/Service-Accounts) with a role assignment to primitive role roles/Owner are project owners.

The project owner has all the privileges on the project the role belongs to. These are summarized below:

 - All viewer permissions on all GCP Services within the project
 - Permissions for actions that modify the state of all GCP services within the project
 - Manage roles and permissions for a project and all resources within the project
 - Set up billing for a project

Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.

Project ownership has the highest level of privileges on a project. To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerted to concerned recipients.

 - Sending project ownership invites
 - Acceptance/Rejection of project ownership invite by user
 - Adding role\\Owner to a user/service-account
 - Removing a user/Service account from role\\Owner

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From Google Cloud Console

Create the prescribed log metric:

 -

Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".

 -

Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter

 -

Clear any text and add:

(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") <xhtml:ol start="4"> -

Click Submit Filter The logs display based on the filter text entered by the user.

 -

In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter This ensures that the log metric counts the number of log entries matching the advanced logs query.

 -

Click Create Metric

Create the display prescribed Alert Policy:

 -

Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics .

 -

Click the 3-dot icon in the rightmost column for the desired metric and select Create alert from Metric A new page opens.

 -

Fill out the alert policy configuration and click Save Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:

Set `Aggregator` to `Count`

Set `Configuration`:

- Condition: above

- Threshold: 0

- For: most recent value <xhtml:ol start="4"> -

Configure the desired notifications channels in the section Notifications

 -

Name the policy and click Save

From Google Cloud CLI

Create a prescribed Log Metric:

 - Use the command: gcloud beta logging metrics create
 - Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create

Create prescribed Alert Policy

 - Use the command: gcloud alpha monitoring policies create
 - Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create

Impact:

Enabling of logging may result in your project being charged for the additional logs usage.

See Also

https://workbench.cisecurity.org/benchmarks/17308

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: GCP

Control ID: 26025b1b6ae3026110a667f5adb3fce3666d8ae70ac3100e0aca7ac5cc2c7585